Project Moonshot is a Janet-led initiative, in partnership with the GÉANT project and others, to develop a single unifying technology for extending the benefits of federated identity to a broad range of non-Web services, including Cloud infrastructures, High Performance Computing & Grid infrastructures and other commonly deployed services including mail, file store, remote access and instant messaging. The goal of the technology is to enable the management of access to a broad range of services and applications, using a single technology and infrastructure. This is expected to significantly improve the delivery of these services by providing users with a common single sign-on, for both internal and external services. Service providers will be able to more easily offer their services to users from other organisations using a single common authentication mechanism. This will enhance the user’s experience, and reduce costs for those organisations supporting users, and delivering services to them. This group is for community of Moonshot users, whether you're new to the technology, you're currently evaluating and getting to grips with it, or you've deployed it. For the list of guidance available about Moonshot within this group, see the Start Here wiki page. Jisc Assent, the production service underpinned by the Moonshot technology, went live on 25th March 2015. For information on, or to join the Jisc Assent service, please visit http://www.jisc.ac.uk/assent

PAM GSS

1. Introduction

pam_gss is a PAM module for Linux, written by PADL Software Pty Ltd. It enables federated Moonshot login to several Linux components.

2. Prerequisites

The instructions below make the following assumptions:

  • The moonshot-gss-eap and moonshot-ui packages are installed (see this page for instructions on this)
  • The machine has a local user that either has been mapped in the Moonshot glue database on the RADIUS server, corresponds to one of your test users in the FreeRADIUS users file, or matches a user returned by your chosen authentication method.
  • pam_gss currently requires that users have an eduPersonPrincipalName (eppn) asserted via SAML.

3. Installing pam_gss

pam_gss is available on GitHub. You can either fetch the source and build it yourself, or use the precompiled .so files.

Place the pam_gss.so file in your /lib/security or /lib64/security directory. Set its permissions and ownership as follows (the command below assumes /lib64):

chmod 755 /lib64/security/pam_gss.so && chown root:root /lib64/security/pam_gss.so

Ensure SELinux is not in enforcing mode.

4. Configuring pam_gss

4.1 Attributes

pam_gss uses the GSSAPI attribute extractor, so if you have not configured one in the Shibboleth configuration, you must do so.

Edit /etc/shibboleth/shibboleth2.xml, then search for this line:

<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

Duplicate the line and modify the duplicate to look like this:

<AttributeExtractor type="GSSAPI" validate="true" reloadChanges="false" path="attribute-map.xml"/>

Note: You may want to use a different file name for the GSSAPI extractor, so that XML and GSSAPI attributes are kept and maintained separately.

Edit the file you specified for the GSSAPI attribute extractor (in the example above, /etc/shibboleth/attribute-map.xml) and insert this line:

<GSSAPIAttribute name="urn:ietf:params:gss-eap:federated-saml-attribute urn:oasis:named:tc:SAML:2.0:attrname-format:uri urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eppn" />

Save the file, then restart the Shibboleth service:

service shibd restart

You should check the /var/log/shibboleth/shibd.log file for any warnings.
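As an added example (not part of the original page or the pam_gss project), the following Python script audits the two configuration steps above: it confirms that shibboleth2.xml declares the GSSAPI AttributeExtractor next to the XML one, that the attribute map it points to exposes eduPersonPrincipalName under the id "eppn", and that pam_gss.so carries the mode and owner set in the installation step. The sample XML fragments are constructed, and the SP 2.x configuration namespaces are assumed.

```python
import os
import stat
import xml.etree.ElementTree as ET

EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonPrincipalName

def _local(tag):
    """Strip the XML namespace so the check works for SP 2.x and 3.x config namespaces."""
    return tag.rsplit("}", 1)[-1]

def audit_gss_extractor(shib_xml, attr_map_xml):
    """Check that shibboleth2.xml declares a GSSAPI AttributeExtractor and that the
    attribute map exposes eduPersonPrincipalName under the id 'eppn'."""
    findings = {"xml_extractor": False, "gssapi_extractor": False,
                "gssapi_map_path": None, "eppn_mapped": False}
    for el in ET.fromstring(shib_xml).iter():
        if _local(el.tag) != "AttributeExtractor":
            continue
        if el.get("type") == "GSSAPI":
            findings["gssapi_extractor"] = True
            findings["gssapi_map_path"] = el.get("path")
        elif el.get("type") == "XML":
            findings["xml_extractor"] = True
    for el in ET.fromstring(attr_map_xml).iter():
        # name holds three space-separated tokens; the last one is the attribute OID.
        tokens = (el.get("name") or "").split()
        if _local(el.tag) == "GSSAPIAttribute" and el.get("id") == "eppn" and EPPN_OID in tokens:
            findings["eppn_mapped"] = True
    findings["ok"] = findings["gssapi_extractor"] and findings["eppn_mapped"]
    return findings

def module_perms_ok(path, expected_uid=0):
    """pam_gss.so must be mode 0755 and root-owned so no unprivileged user can replace
    it; expected_uid is a parameter only so the check can be exercised without root."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == 0o755 and st.st_uid == expected_uid

# Constructed sample fragments (not real deployment files); the SP 2.x namespace is assumed.
SHIB_OK = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"><ApplicationDefaults>
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeExtractor type="GSSAPI" validate="true" reloadChanges="false" path="attribute-map.xml"/>
</ApplicationDefaults></SPConfig>"""
SHIB_MISSING = SHIB_OK.replace('type="GSSAPI"', 'type="XML"')  # the duplicated line was never added
ATTR_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
<GSSAPIAttribute name="urn:ietf:params:gss-eap:federated-saml-attribute urn:oasis:named:tc:SAML:2.0:attrname-format:uri urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eppn" />
</Attributes>"""
```

Against a real host, read /etc/shibboleth/shibboleth2.xml and the file named by the returned gssapi_map_path, and pass /lib64/security/pam_gss.so to module_perms_ok; a False result for "ok" shows which of the two edits above was missed before you restart shibd.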